Writing Security Tools and Exploits

Chapter 5: Exploits: Format Strings

Introduction

In the summer of 2000, the security world learned of a significant new type of software security vulnerability. This subclass of vulnerabilities, known as format string bugs, was made public when an exploit for the Washington University FTP daemon (WU-FTPD) was posted to the Bugtraq mailing list on June 23, 2000. The exploit allowed remote attackers to gain root access on hosts running WU-FTPD without authentication, if anonymous File Transfer Protocol (FTP) was enabled (it was, by default, on many systems). This was a very high profile vulnerability, because WU-FTPD is used widely on the Internet.

As serious as it was, the fact that tens of thousands of hosts on the Internet were instantly vulnerable to complete remote compromise, was not the primary reason that this exploit was such a huge shock to the security community. The real concern was the nature of the exploit and its implications for software everywhere. This was a completely new method of exploiting programming bugs previously thought to be benign, and was the first demonstration that format string bugs were exploitable.

Format string vulnerabilities occur when programmers pass externally supplied data to a printf function (or similar) as, or as part of, the format string argument. In the case of WU-FTPD, the argument to the SITE EXEC ftp command when issued to the server was passed directly to a printf function.

Shortly after knowledge of the format string vulnerabilities was made public, exploits for several programs became publicly available. As of...

UNLIMITED FREE
ACCESS
TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Category: Network Clock Sources
Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.